As discussed on Zulip, multiple modules inside WildFly-Core, WildFly and possibly other components shall be protected against XXE (XML External Entity injection). Currently some places in the code use a plain javax.xml.parsers.DocumentBuilderFactory or javax.xml.stream.XMLInputFactory, and the restriction of XML external entity references is lacking there.
- Provide factories that apply secure defaults (here)
- Use the new factories at the relevant places
The approach is to try to set/activate the relevant properties and log a warning if the underlying factory does not support a property. The warning shall be logged only once (per classloader).
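As an added illustration of that approach (example code, not WildFly-Core's own implementation): a hypothetical `SecureXmlFactories` helper that hardens both factory types, falls back to a warning when the parser rejects a feature or property, and uses a static `AtomicBoolean` so the warning appears once per classloader. It logs through `java.util.logging` for self-containment; WildFly's actual logger would be used in place of it.

```java
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.logging.Logger;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;

public final class SecureXmlFactories { // hypothetical helper, not the project's code
    private static final Logger LOG = Logger.getLogger(SecureXmlFactories.class.getName());
    // Static state is per class, so each classloader that loads this class warns at most once.
    private static final AtomicBoolean WARNED = new AtomicBoolean(false);

    /** DOM factory: DOCTYPE rejected, external entities/DTDs not loaded, no XInclude, no expansion. */
    public static DocumentBuilderFactory newDocumentBuilderFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        setFeature(f, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        setFeature(f, "http://apache.org/xml/features/disallow-doctype-decl", true);
        setFeature(f, "http://xml.org/sax/features/external-general-entities", false);
        setFeature(f, "http://xml.org/sax/features/external-parameter-entities", false);
        setFeature(f, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** StAX factory: DTD processing and external entity resolution switched off. */
    public static XMLInputFactory newXMLInputFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        setProperty(f, XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        setProperty(f, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    private static void setFeature(DocumentBuilderFactory f, String name, boolean value) {
        try {
            f.setFeature(name, value);
        } catch (ParserConfigurationException e) { // the underlying parser does not know this feature
            warnOnce(f.getClass().getName(), name);
        }
    }

    private static void setProperty(XMLInputFactory f, String name, Object value) {
        if (f.isPropertySupported(name)) {
            f.setProperty(name, value);
        } else { // setProperty would throw IllegalArgumentException for an unsupported name
            warnOnce(f.getClass().getName(), name);
        }
    }

    private static void warnOnce(String factory, String name) {
        if (WARNED.compareAndSet(false, true)) {
            LOG.warning(factory + " does not support " + name + "; XXE protection may be incomplete");
        }
    }
}
```

Callers replace `DocumentBuilderFactory.newInstance()` / `XMLInputFactory.newInstance()` with the two static methods; a parser that silently ignores a feature instead of throwing would not trigger the warning, which is why the factory class name is included in the message for later diagnosis.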